Last Modified: Thu, 16 Apr 2015 20:16:12 +0000 ; Created: Thu, 16 Apr 2015 20:14:50 +0000
|Ran across an interesting technical detail while working on a PATH configuration problem in my /etc/profile. When no PATH is defined (such as when you do sudo -i) the sudo command will inject a standard one that is compiled into its code. This applies when you do not have a secure_path option either in your config or built-in as a compile option at build time.
This was important because when using bash and before your /etc/profile configures your PATH variable there will be an already existing value setup by the sudo -i command (or sudo -s env). This mostly affected me due to some invocations creating a PATH with two colons (::) in it which was a security issue for root since that implies the current working directory is in root's PATH.
Testing was done on a Red Hat 6. Sudo version 1.8.6p3 with 1.8.6p3-12.el6.
Regular (non-root) user logged in via ssh:
Before /etc/profile the sshd process sets PATH=/usr/local/bin:/bin:/usr/bin (or whatever value your OpenSSH was configured and compiled to use).
sudo -i OR sudo -s env
Before /etc/profile the sudo process sets PATH=/usr/bin:/bin:/usr/sbin:/sbin
Sudo source code that shows the value it uses